Block "/**/ORDER/**/BY/**/" in the argument

nigelhorne · Apr 1, 2024 · 5d466ff · 5d466ff
1 parent a1d4c9e
commit 5d466ff
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/Changes b/Changes
@@ -5,6 +5,7 @@ Revision history for CGI-Info
 	Added t/version.t
 	Added t/tabs.t
 	Mark ias_crawler and ZoominfoBot as robots
+	Block "/**/ORDER/**/BY/**/" in the argument
 
 0.80	Fri Jan 19 08:05:29 EST 2024
 	Added documentroot() as a synonym to rootdir()

diff --git a/lib/CGI/Info.pm b/lib/CGI/Info.pm
@@ -757,6 +757,7 @@ sub params {
 			   ($value =~ /((\%27)|(\'))union/ix) ||
 			   ($value =~ /select[[a-z]\s\*]from/ix) ||
 			   ($value =~ /\sAND\s1=1/ix) ||
+			   ($value =~ /\/\*\*\/ORDER\/\*\*\/BY\/\*\*/ix) ||
 			   ($value =~ /exec(\s|\+)+(s|x)p\w+/ix)) {
 				if($self->{logger}) {
 					if($ENV{'REMOTE_ADDR'}) {